Affected Products

Helpbox 4.4.0

Details

Since the login page is not encrypted (no SSL encryption layer) usernames and passwords are sent over the network in cleartext. These could be intercepted by an attacker on the same network and used to gain access to the application.

Impact

An attacker may be able to login to the application using credentials captured off the wire.

Solution

Layton advise upgrading to their newer 'ServiceDesk' product. However, if you have an active support contract, Layton may be able to provide fixes for you.